Some vendors that do business with collision and service repair shops might be reselling their customers’ data in detail, or as an aggregate, to other third parties, the Automotive Service Association (ASA) cautioned.

“This practice raises concerns that shop owners might not be aware when their data, and their customers’ data, is being shared and/or sold,” ASA said. “As a result of this practice, shops could be incurring additional liability and potential exposure to lawsuits.”

To address the issue, ASA has developed a data-security policy agreement/addendum for shops aiming to ensure the protection of their customer data. To access the document, visit the ASA website.

“The protection of personal information and proprietary technical data is a priority for consumers, regulators, legislators and class-action attorneys throughout the United States and abroad,” said Mount Prospect, Ill., attorney Patrick McGuire. “As an industry, everyone should be doing everything within their power to prohibit the unapproved/unsolicited sharing of estimates and repair data that goes beyond the scope of what is necessary during the normal course of doing business.”

Irate Customer

Recently, one of ASA’s board members encountered a situation in which estimate data was unknowingly shared with CARFAX within 48 hours of the estimate being created, according to the association.

The board member said the consumer was irate because the value of his vehicle was affected. The consumer demanded to know why the shop shared the information without his consent.

“Shops need to take control of their data,” said Scott Benavidez, ASA’s Collision Division Operations Committee director. “Situations like this aren’t unique, and the potential for class-action lawsuits should cause everyone to lock down their data. Nobody should be profiting from the data we are generating on behalf of our customers.”

To date, the shop in question has not determined who shared the data. However, when asked, CCC Information Services – the preferred estimating system provider for the shop – replied with a letter from CARFAX Communications Director Larry Gamache stating, “CARFAX currently gathers information from more than 34,000 sources. However, CCC is not one of these. CCC does not report information from your facility to CARFAX.”

Bob Wills, ASA’s Mechanical Division Operations director, said the ASA data-security policy agreement/addendum is a tool designed to help shops protect themselves.

The document states that all information (data) provided to outside vendors is owned exclusively by the shop and provided for the sole purpose of conducting business. It does not grant the authority or privilege to share the data, sell it or repackage it in total or part without the express written consent of the shop.

“We believe that most third-party vendors in the industry do a great job of protecting a shop’s data, and they have policies and contractual language to highlight their commitment to doing the right thing,” Willis said. “We also know that there are a few vendors that profit from using the shops’ data without their express written consent. It’s time for the industry to take note and take control of their data.”